Just a quick survey of what everyone has their users do with persistent spam. Do you have them forward it to you, or just delete? If you have them delete, how do you determine what IP the spam is coming from to block? Or, do you ignore it and hope no one has clicked on it?

Note on forwarding: If the user can drag and drop the email into a new one it will send it as an attachment for better analysis (using OWA or a similar client).
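On the question of which IP to block, an added example (not part of the original thread) that reads the Received chain of an original message saved from a forward-as-attachment and returns the address that handed it to your own relays. The hostnames, networks and sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_bytes

# Constructed sample (documentation hostnames and address ranges). The
# bottom Received line stands for one the sender could have forged.
SAMPLE_EML = b"""\
Received: from mx1.example.org (mx1.example.org [10.0.0.5])
\tby mailstore.example.org with ESMTP id A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.test (unknown [203.0.113.45])
\tby mx1.example.org with ESMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from bank.test (bank.test [198.51.100.7])
\tby mail.sender.test with SMTP id C3; Mon, 1 Jan 2024 09:59:59 +0000
From: "Billing" <billing@bank.test>
Subject: Invoice overdue

Please see the attached invoice.
"""

BY_HOST = re.compile(r"\bby\s+([^\s;()]+)", re.I)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(raw_eml, our_relays, internal_nets):
    """Return the external IP that handed the message to our relays, or None.

    Received headers are prepended, so the newest comes first. Only lines
    stamped by our own servers are trusted; the walk stops at the first
    line written by anyone else, since the sender controls those.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    msg = message_from_bytes(raw_eml)
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        by = BY_HOST.search(text)
        if not by or by.group(1).lower() not in our_relays:
            return None                            # left the trusted chain
        found = BRACKET_IP.search(text[:by.start()])
        if not found:
            continue
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:
            continue                               # malformed literal
        if not any(ip in net for net in nets):
            return str(ip)                         # first outside client
    return None
```

An inline forward replaces these headers with the forwarder's own, which is why the attached copy is the one to analyse.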

We have POP3, and most spam management is done by our ISP...the best way to train their filter is of course to report it to them (while still in the inbox there). Then what gets past them comes through our firewall with all of its rules and policies and our Network Admin keeping an eye on things. That controls well over 90% of the junk. Outlook junk folder gets a few more.

Beyond all that, if a user complains of excessive spam still getting through, we'll have Outlook leave the messages on the server for a few days so that we can check and report junk there. If it's extremely excessive (we have had folks with hundreds of messages a day getting through on top of what is blocked), they might get a new email address and a stern warning about what they do with it.

Under no circumstances do I encourage forwarding spam or handling it in any way other than deleting it once it has come through. If we really want a look, they can tell us there is a problem and let us look at it where it already is rather than having users make judgements about what to send and how to whom.

I have them forward it directly to our filter service provider. If I have to forward it then it won't work (which is kinda nice, actually). We're having a larger issue with phishing attacks than we are with spam (Thanks Appriver!)

It depends. If I see an uptick by a particular address, I'll grab the header and forward it to my 3rd party spam filtering service; otherwise, I'll just have them forward me the email, and then add a blacklist rule on my filter for that address.

Who do you use for AntiSPAM? If you use Barracuda, you can look up the message in the SPAM appliance and mark it as SPAM, which will automatically submit it to Barracuda Central and blacklist it in your appliance for future blocking.

We use McAfee SaaS and so far we have not had a whole lot of issues with spam. Our email flow uses McAfee as our inbound scanner and then we relay our outbound email back through them. If we do get any spam I have them forward it to me, then I blacklist the domain or user, whichever is the case.

We use an external SaaS spam/AV filter which is then sent to an internal filter. We have had an issue with someone using an internal address to send some spam through.

Forward the email to me as an attachment and I can send it along to our filtering company. I usually preempt it with a "you should only be using your work email for work-related activities, not signing up for mailing lists for your parenting magazines/recipes/coupons/etc." It seems that the vast majority of spam could be cut down if users just had proper training on email usage. It would also help if websites were designed with general mailboxes instead of individual email addresses, but what do I know.

I use a gmail account to sign up for everything, then when I get confirmations I sign in to my profile and change the email if I want to continue any type of relationship with the vendor from there.

We only use Exchange's built-in filters and it seems to catch most of it. I don't know how to see statistics in Exchange but I rarely get complaints of spam from users. Most of it seems to be really legit-looking so it comes through, even though it's got weird links and funny sentences. I just tell them to send it to Junk Mail and add the sender to the block list. I think that info goes to the Exchange server but again I don't know how to check that.

With the current state of anti-spam software and appliances, no one should have to manually add domains to blacklists any more, that is close to useless, as these sites are only up for about 24 hours at best and then get closed down. Don't waste your time with that. Get an advanced spam filter and that should get you 99% catch rates. But the real problem often lies with the end-user. They need training!

Humans are the weak link in IT, and you need to create a 'human firewall' by giving your users Security Awareness Training. This is what we do for a living (fully automated) and system admins LOVE it, as it allows them to get some control over the culprits that cause malware infections all the time. Check out our site, and do the free Phishing Security Test:

Have them send it to me as an attachment so I can try and feed it to our Bayesian filter to improve spam detection.

What product are you using?

Custom rolled Linux box. Using Debian as the OS with Postfix, Postgrey, Amavis-d, ClamAV, and SpamAssassin. I can feed SpamAssassin emails that are either HAM or SPAM using a couple of Python scripts and this will help it learn to differentiate better. Trying to figure out a way to get this to have individual quarantines and let users release their own ham that gets caught (though not much real HAM does get caught).

The reason I say try is I still haven't figured out a way to export mail messages from Outlook 2007 or 2010 as eml files which is what I need to use to run learning scripts.
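For the .eml step described above, an added example (not the poster's scripts) that works from the mail-server side: it takes a raw forward-as-attachment message and writes each attached original out as an .eml file. It assumes the forward arrives with the original as a message/rfc822 MIME part; the sample message and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path

def build_sample_forward():
    """Constructed sample: a user's forward with the spam attached."""
    spam = EmailMessage()
    spam["From"] = "deals@sender.test"
    spam["To"] = "user@example.org"
    spam["Subject"] = "Cheap watches"
    spam.set_content("Click here for discounts.")
    fwd = EmailMessage()
    fwd["From"] = "user@example.org"
    fwd["To"] = "spamreport@example.org"
    fwd["Subject"] = "FW: spam"
    fwd.set_content("Please look at this one.")
    fwd.add_attachment(spam)            # stored as a message/rfc822 part
    return fwd.as_bytes()

def attached_messages(msg):
    """Yield each attached original without descending into it."""
    if msg.get_content_type() == "message/rfc822":
        yield msg.get_payload(0)        # the embedded message, headers intact
    elif msg.is_multipart():
        for sub in msg.get_payload():
            yield from attached_messages(sub)

def extract_originals(raw_forward, out_dir):
    """Write every attached original to out_dir as an .eml; return the paths."""
    msg = email.message_from_bytes(raw_forward, policy=policy.default)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for inner in attached_messages(msg):
        path = out / f"reported-{len(written):03d}.eml"
        path.write_bytes(inner.as_bytes())
        written.append(path)
    return written
```

The output directory can then be given to `sa-learn --spam`, which accepts a directory of message files.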

If it has persistent elements such as regular subject lines or uses a consistent email address, I blacklist it on my spam firewall.

In many cases users aren't getting that much through, so I show them a report of how much spam is blocked and they just delete the occasional message.

+1

I've had users tell me that they have already added "that address" to their client blacklist, and I have to explain that the same/similar emails will come from multiple similar/one-off addresses, so forwarding these will allow me to try to filter it in other ways.

I also tell them how much of our mail is blocked (typically ~85%) just on our first line of defense, and all of a sudden they don't feel like they are getting that much spam.

We use SpamManager by MessageLabs and it's very thorough. We tell our users to right mouse click on the spam (in Outlook) and choose Junk Mail/Add Sender to blocked sender list. If the employee gets a lot of it from the same domain, we ask them to notify IT and we will block the domain if it's feasible. Usually, our SpamManager is so good, that any employee here who gets large amounts of spam falling into their inbox should question what internet sites they are using to cause it.

I use IMF and utilize Barracuda, SpamCop, and Spamhaus RBL lists and we get very few if any spam emails coming through. The only issue we have is with the "undeliverable" type messages. We have customers that don't take AV seriously and our sales email address is constantly getting hijacked. I've been debating on blocking all undeliverable mail notifications; however, it's an all-or-nothing strategy that I'm not 100% sold on. Not to hijack this thread, but how does everyone else cope with the "undeliverable"-type messages?

Like a lot of people have said, once I tell the users some statistics about spam (that 75% of all mail sent to our domain gets blocked as spam and that only a small percentage of spam ever makes it to their inbox) they stop seeing it as such a huge deal.

We use Postini and don't really get too much spam in the users' inboxes. If a user brings a spam message to my attention, I will send it to spam@postini.com (as attachment, not a forward). I think it's kind of a waste of time to spend 5 or 10 minutes of my day sending this harmless stuff to our spam filter, but it lets the user see that I have done something about it.

Regarding phishing scams and emails containing dirty links, I'm more proactive. I always send these to Postini. I'll also try to set up filters to block them at our domain level. I don't mind when a user gets the occasional ad for knock-off watches or shady discount pharmaceuticals, but the ones that say "click here to track this package you didn't order" or "your administrator wants you to click here to change your password" with a link to a trojan dropper or an infected webpage are definitely something I worry about.

We use Watchguard XTM anti-spam combined with Exchange. Only a few messages get through. Periodically a whole slew of messages gets through for a few hours while Watchguard updates. I have had managers complain on occasion and I show them the percentages - stops the complaining on the spot.

Have them send it to me as an attachment so I can try and feed it to our Bayesian filter to improve spam detection.

What product are you using?

Custom rolled Linux box. Using Debian as the OS with Postfix, Postgrey, Amavis-d, ClamAV, and SpamAssassin. I can feed SpamAssassin emails that are either HAM or SPAM using a couple of Python scripts and this will help it learn to differentiate better. Trying to figure out a way to get this to have individual quarantines and let users release their own ham that gets caught (though not much real HAM does get caught).

The reason I say try is I still haven't figured out a way to export mail messages from Outlook 2007 or 2010 as eml files which is what I need to use to run learning scripts.

Ditto here, with additions in Postfix to check for SPF records and eliminate outside mail that pretends to be from our domain.